Google Removes Vulnerable Library from Android

Google this week released the November 2018 set of security patches for its Android platform, which address tens of Critical and High severity vulnerabilities in the operating system.

The addressed issues include remote code execution bugs, elevation of privilege flaws, and information disclosure vulnerabilities, along with a denial of service. Impacted components include Framework, Media framework, System, and Qualcomm components.

“The most severe vulnerability in this section could enable a proximate attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google explains.

The Internet giant also announced that the Libxaac library has been marked as experimental and is no longer used in production of Android builds. The reason for this is the discovery of multiple vulnerabilities in the library, and Google lists 18 CVEs impacting it.

As usual, the search company split the fixes into two parts, with the 2018-11-01 security patch level, addressing 17 flaws, including four rated Critical severity (all of which impact Media framework).

This security patch level fixes 7 elevation of privilege bugs (two rated Critical, four High severity, and one Medium), three remote code execution bugs (two Critical and one High severity), six information disclosure issues (all rated High severity) and one denial of service (Medium).

The 2018-11-05 security patch level, on the other hand, patches 19 issues, three of which were rated Critical.

Two of the bugs impact the Framework component, while the remaining 17 were addressed in Qualcomm components, including 14 issues in Qualcomm closed-source components (3 Critical and 11 High risk).

According to Google, it has no reports of active customer exploitation or abuse of these issues. The company also notes that exploitation of vulnerabilities is more difficult on newer versions of Android and encourages users to update as soon as possible.

In addition to these patches, Pixel and Nexus devices receive fixes for three additional vulnerabilities. These include an elevation of privilege in HTC components and two other bugs in Qualcomm components. All three are rated Medium severity.

“All Pixel devices running Android 9 will receive an Android 9 update as part of the November OTA. This quarterly release contains many functional updates and improvements to various parts of the Android platform and supported Pixel devices,” Google says.

A series of functional updates were also pushed to these devices, to improve performance for the use of picture-in-picture, Strongbox symmetric key generation requests, and stability for notifications.